From 9c6158e621b4958740ddd5886b951a75c64feff4 Mon Sep 17 00:00:00 2001
From: Matthieu Saulnier
Date: Thu, 12 Jan 2023 18:16:02 +0100
Subject: Add stunnel config in nfsserver role
---
 .../blackbird.home.casperlefantom.net/main.yml | 2 ++
 .../manchester.home.casperlefantom.net/main.yml | 2 ++
 host_vars/ns2.casperlefantom.net/main.yml | 2 ++
 roles/nfsserver/files/stunnel-nfsd@.service | 9 +++++
 roles/nfsserver/handlers/main.yml | 1 +
 roles/nfsserver/handlers/systemd.yml | 9 +++++
 roles/nfsserver/tasks/fw.yml | 7 ++++
 roles/nfsserver/tasks/main.yml | 1 +
 roles/nfsserver/tasks/stunnel.yml | 36 ++++++++++++++++++++
 roles/nfsserver/templates/nfsd.conf.j2 | 39 ++++++++++++++++++++++
 roles/nfsserver/templates/stunnel-nfsd.socket.j2 | 14 ++++++++
 11 files changed, 122 insertions(+)
 create mode 100644 roles/nfsserver/files/stunnel-nfsd@.service
 create mode 100644 roles/nfsserver/handlers/main.yml
 create mode 100644 roles/nfsserver/handlers/systemd.yml
 create mode 100644 roles/nfsserver/tasks/stunnel.yml
 create mode 100644 roles/nfsserver/templates/nfsd.conf.j2
 create mode 100644 roles/nfsserver/templates/stunnel-nfsd.socket.j2
diff --git a/host_vars/blackbird.home.casperlefantom.net/main.yml b/host_vars/blackbird.home.casperlefantom.net/main.yml
index 477829e..6851bb8 100644
--- a/host_vars/blackbird.home.casperlefantom.net/main.yml
+++ b/host_vars/blackbird.home.casperlefantom.net/main.yml
@@ -51,3 +51,5 @@ peers:
 cockpitname: nsa
 # bittorrent
 btname: bt4
+# nfsserver
+nfsport: "29391"
diff --git a/host_vars/manchester.home.casperlefantom.net/main.yml b/host_vars/manchester.home.casperlefantom.net/main.yml
index 7405f69..e334116 100644
--- a/host_vars/manchester.home.casperlefantom.net/main.yml
+++ b/host_vars/manchester.home.casperlefantom.net/main.yml
@@ -20,3 +20,5 @@ peers:
 cockpitname: nsa
 # bittorrent
 btname: bt1
+# nfsserver
+nfsport: "29351"
diff --git a/host_vars/ns2.casperlefantom.net/main.yml b/host_vars/ns2.casperlefantom.net/main.yml
index ee82bc0..b6e2558 100644
--- a/host_vars/ns2.casperlefantom.net/main.yml
+++ b/host_vars/ns2.casperlefantom.net/main.yml
@@ -13,3 +13,5 @@ imhidden: hzjexvat7cebtabc65p63s6faa44k4u2iqpdrv5yl3pbvjopylqlncyd.onion
 # torrelay
 process:
 - { id: 09, orport: 995 }
+# nfsserver
+nfsport: "29391"
diff --git a/roles/nfsserver/files/stunnel-nfsd@.service b/roles/nfsserver/files/stunnel-nfsd@.service
new file mode 100644
index 0000000..d4fba67
--- /dev/null
+++ b/roles/nfsserver/files/stunnel-nfsd@.service
@@ -0,0 +1,9 @@
+#
+# Ansible managed.
+#
+[Unit]
+Description=NFS over stunnel/TLS server
+
+[Service]
+ExecStart=-/usr/bin/stunnel /etc/stunnel/nfsd.conf
+StandardInput=socket
diff --git a/roles/nfsserver/handlers/main.yml b/roles/nfsserver/handlers/main.yml
new file mode 100644
index 0000000..8db0dde
--- /dev/null
+++ b/roles/nfsserver/handlers/main.yml
@@ -0,0 +1 @@
+- import_tasks: systemd.yml
diff --git a/roles/nfsserver/handlers/systemd.yml b/roles/nfsserver/handlers/systemd.yml
new file mode 100644
index 0000000..00cc177
--- /dev/null
+++ b/roles/nfsserver/handlers/systemd.yml
@@ -0,0 +1,9 @@
+- name: reload systemd
+ systemd:
+ daemon_reload: yes
+
+- name: launch nfsd socket
+ service:
+ name: stunnel-nfsd.socket
+ state: started
+ enabled: no
diff --git a/roles/nfsserver/tasks/fw.yml b/roles/nfsserver/tasks/fw.yml
index ad3d0a4..d4980bb 100644
--- a/roles/nfsserver/tasks/fw.yml
+++ b/roles/nfsserver/tasks/fw.yml
@@ -4,3 +4,10 @@
 permanent: yes
 immediate: yes
 state: enabled
+
+- name: Ouverture port secondaire IPv4 NAT
+ firewalld:
+ port: "{{ nfsport }}/tcp"
+ permanent: yes
+ immediate: yes
+ state: enabled
diff --git a/roles/nfsserver/tasks/main.yml b/roles/nfsserver/tasks/main.yml
index 600b109..b9705ba 100644
--- a/roles/nfsserver/tasks/main.yml
+++ b/roles/nfsserver/tasks/main.yml
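Review bot: `ExecStart=-/usr/bin/stunnel /etc/stunnel/nfsd.conf` carries the `-` prefix, so a non-zero exit from stunnel (unreadable key, chroot failure, rejected client certificate path) is not recorded as a unit failure, and the per-connection instances spawned through the socket's `Accept=yes` show up as clean exits rather than in `systemctl --failed` or as failed units in the journal. Unless silent failures are intended, drop the prefix: `ExecStart=/usr/bin/stunnel /etc/stunnel/nfsd.conf`. The header says "Ansible managed." but the file is deployed with `copy`, so it is static; a comment such as `# Instantiated per connection by stunnel-nfsd.socket (Accept=yes)` would tell the next reader how it is started.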
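Review bot: The `launch nfsd socket` handler uses `state: started`, so when the templated socket changes (a new `nfsport`, for instance) the handler fires but an already-listening socket keeps the old port; `state: restarted` is needed for a changed `ListenStream` to take effect. `enabled: no` also actively disables the unit, which contradicts the `[Install] WantedBy=sockets.target` section in stunnel-nfsd.socket.j2 and means the TLS listener is gone after a reboot; if that is deliberate a comment on the handler should say so, otherwise use `enabled: true`. Minor: `daemon_reload: yes` and `enabled: no` should be written as the canonical `true`/`false`.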
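Review bot: The new rule opens only `{{ nfsport }}/tcp`, while stunnel-nfsd.socket.j2 in the same commit also listens on 443; if that second listener is meant to be reachable it needs its own rule here, and if not it should be removed from the socket template. The task name ("IPv4 NAT") suggests this is a forwarded port, but the rule has no `zone:`, so it lands in firewalld's default zone on every host — worth making explicit. The first task of this file starts before the hunk, so I cannot tell what the primary rule opens. Style: `permanent: yes` / `immediate: yes` should be `true`.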
@@ -1,2 +1,3 @@
 - import_tasks: crt.yml
+- import_tasks: stunnel.yml
 - import_tasks: fw.yml
diff --git a/roles/nfsserver/tasks/stunnel.yml b/roles/nfsserver/tasks/stunnel.yml
new file mode 100644
index 0000000..4f1b56c
--- /dev/null
+++ b/roles/nfsserver/tasks/stunnel.yml
@@ -0,0 +1,36 @@
+- name: Installation config stunnel
+ template:
+ src: "nfsd.conf.j2"
+ dest: "/etc/stunnel/nfsd.conf"
+ mode: 0644
+
+- name: Installation du service systemd
+ copy:
+ src: "stunnel-nfsd@.service"
+ dest: "/etc/systemd/system/"
+ owner: root
+ group: root
+ mode: 0644
+ notify: reload systemd
+
+- name: Installation du socket systemd
+ template:
+ src: "stunnel-nfsd.socket.j2"
+ dest: "/etc/systemd/system/stunnel-nfsd.socket"
+ mode: 0644
+ notify:
+ - reload systemd
+ - launch nfsd socket
+
+- name: Création du répertoire du chroot
+ file:
+ path: /var/stunnel/chroot/etc
+ state: directory
+
+- name: Création des fichiers du chroot
+ file:
+ path: "/var/stunnel/chroot/etc/{{ item }}"
+ state: touch
+ loop:
+ - hosts.allow
+ - hosts.deny
diff --git a/roles/nfsserver/templates/nfsd.conf.j2 b/roles/nfsserver/templates/nfsd.conf.j2
new file mode 100644
index 0000000..c1e9cf5
--- /dev/null
+++ b/roles/nfsserver/templates/nfsd.conf.j2
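Review bot: The `Création des fichiers du chroot` task uses `state: touch`, which bumps the mtime on every run and so reports changed each time; adding `modification_time: preserve` and `access_time: preserve` keeps the play idempotent. The files are created empty, so they carry none of the `hosts.deny` restriction that the comment in nfsd.conf.j2 describes, and the `chcon -t stunnel_etc_t` step from that same comment is not performed here — the `file` module can set it with `setype: stunnel_etc_t` on both the directory and the two files, and a comment should state whether the empty files are intentional placeholders. The `mode: 0644` values are unquoted; Ansible accepts the leading-zero form, but `mode: "0644"` avoids the YAML 1.1 octal trap if someone later drops the zero.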
@@ -0,0 +1,39 @@
+#
+# {{ ansible_managed }}
+#
+#GLOBAL#######################################################
+
+TIMEOUTidle = 600
+renegotiation = no
+ FIPS = no
+ options = NO_SSLv2
+ options = NO_SSLv3
+ options = SINGLE_DH_USE
+ options = SINGLE_ECDH_USE
+ options = CIPHER_SERVER_PREFERENCE
+ syslog = yes
+ debug = 5
+ setuid = nobody
+ setgid = nobody
+ chroot = /var/stunnel/chroot
+
+ service = stunnel-nfsd
+ ; cd /var/empty; mkdir -p stunnel/etc; cd stunnel/etc;
+ ; echo 'MC-nfsd: ALL EXCEPT 5.6.7.8' >> hosts.deny;
+ ; chcon -t stunnel_etc_t hosts.deny
+
+ curve = secp521r1
+ ; https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ ciphers=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+
+#CREDENTIALS##################################################
+
+ verify = 2
+ CAfile = /etc/pki/tls/certs/mon-ca.crt
+ CRLfile = /etc/pki/tls/certs/crt-crl.pem
+ cert = /etc/pki/tls/certs/{{ maindomain }}.nfs.fullchain.crt
+ key = /etc/pki/tls/private/{{ maindomain }}.nfs.key
+
+#ROLE#########################################################
+
+ connect = localhost:2049
diff --git a/roles/nfsserver/templates/stunnel-nfsd.socket.j2 b/roles/nfsserver/templates/stunnel-nfsd.socket.j2
new file mode 100644
index 0000000..32a06d1
--- /dev/null
+++ b/roles/nfsserver/templates/stunnel-nfsd.socket.j2
@@ -0,0 +1,14 @@
+#
+# {{ ansible_managed }}
+#
+[Unit]
+Description=NFS over stunnel/TLS server
+
+[Socket]
+ListenStream={{ nfsport }}
+ListenStream=443
+Accept=yes
+TimeoutSec=600
+
+[Install]
+WantedBy=sockets.target
--
cgit
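Review bot: `options = NO_SSLv2` / `NO_SSLv3` still leave TLS 1.0 and 1.1 negotiable, and the cipher string ends with `RSA+AESGCM:RSA+AES`, which are non-forward-secret RSA key-exchange suites; `sslVersionMin = TLSv1.2` (stunnel 5.50 and later) plus dropping the two `RSA+` entries would match the intent of `verify = 2` with a private CA. The chroot comments are stale: they say `cd /var/empty` while the directive is `chroot = /var/stunnel/chroot`, and the example rule uses the daemon name `MC-nfsd` while libwrap matches on the `service = stunnel-nfsd` value. hosts.allow/hosts.deny are in any case only consulted when `libwrap = yes` is set (the default has been `no` since stunnel 5.00) and the binary was built with libwrap, so either add that line or rewrite the comment to say the files are placeholders. `debug = 5` is also fairly chatty for a per-connection process; the default level is usually enough once the setup is proven.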
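Review bot: `ListenStream=443` binds a second, unexplained port on all addresses; the firewall task added in this commit opens only `{{ nfsport }}`, and 443 is likely to collide with any web server on these hosts. If it exists so clients can reach NFS through restrictive egress filters, say so in a comment and open it in fw.yml; otherwise drop the line. Binding to the intended address rather than the wildcard (`ListenStream=<listen address>:{{ nfsport }}`) would also keep the TLS endpoint off interfaces that do not need it. `nfsport` has no default in the role, so the template fails on any host without the host_vars entry; a `roles/nfsserver/defaults/main.yml` value or an `assert` at the top of stunnel.yml would make that requirement explicit.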